Getting 401.2 error with IIS basic authentication instead of a password prompt

http-basic-authenticationiis-7.5iis-8

When I deploy a web site locally in IIS on Windows 7 with a section in web.config allowing a single local user to authenticate, it works fine.

<authorization>
    <allow users=".\test01" />
    <deny users="*" />
</authorization>

Navigating to https://localhost:5555/testPage I get a pop-up for the credentials and entering .\test01 with its password puts me into the page.

However when deploying the same site to a WS 2012 R2 Standard in a workgroup, and only changing the user name to the local user created by the sysadmins, I do not get a login pop-up when accessing the exact same URL. Instead I get a page with 401.2 error "not authorized" in IE and below in FF:

401 – Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.

Initially the sysadmin created the user with local logon denied, but then we turned that off for troubleshooting and still got the same issue.

Commenting out the section in web.config allows me to browse the page.

If it matters, the site is running as an application both on my local and on the server.

What could be causing the authentication issue like this?

Best Answer

Just figured that in IIS 8 basic auth is not installed by default. It needs to be installed by running an elevated command-prompt or PowerShell:

dism /online /enable-feature /featurename:IIS-BasicAuthentication

as per How do I enable Basic Authentication for IIS 8 in Windows Server 2012 and then enabled in IIS manager.

Related Solutions

Ssl – Getting 401 when using client certificate with IIS 7.5

I was getting the same error when i added the mappings at the application config. I saw this post http://blogs.msdn.com/b/rakkimk/archive/2009/07/08/iis7-configuring-iisclientcertificatemappingauthentication.aspx and moved my mapping entries to the website level and they get inherited by the application underneath and i only enabled IISClientCertificateAuthentication at the application level (disabled at the website level) and it started working.

Try moving the mappings to the configuration of the web site level and enable the client cert authentication at the application level. Good Luck and Happy New Year!

How to configure two sites on same IIS 7.5 server for a single ASP.NET web application with different authentication modes

ASP.NET does not support having multiple built-in authentication modules at once. This is prominent in the documentation, <authentication mode="[Windows|Forms|Passport|None]" ...>

Solutions:

Build a custom IHttpModule which handles authentication.
Separate your application into two web applications in your IIS, which point towards two different directories with different configuration files. This is the easiest solution.
Separate your application into two web applications in your IIS, but point both of them to the same directory. You will need to remove the authentication- and impersonation settings from the web.config residing in the directory, and move these into the system-wide web.config (%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config or similar). These settings must be wrapped by location-tags using the name of the IIS-site.

Example:

<location path="My Awesome Site - Forms">
    <system.web>
        <authentication mode="Forms" />
    </system.web>
</location>

<location path="My Awesome Site - Windows">
    <system.web>
        <authentication mode="Windows" />
        <identity impersonate="true"/>
    </system.web>
</location>

Related Topic